scsi: sg: assorted memory corruptions

From: Dmitry Vyukov
Date: Mon Jan 22 2018 - 06:07:26 EST


Hello,

The following program triggers assorted memory corruptions on 4.15-rc9:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

#define SG_NEXT_CMD_LEN 0x2283

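/*
 * syzkaller reproducer from the report above: issue SG_NEXT_CMD_LEN on
 * /dev/sg0 and then write one 46-byte request to it. The program itself
 * does nothing more than that single ioctl and single write; the kernel-side
 * effect on 4.15-rc9 is what the surrounding report describes.
 *
 * Returns 0 once the write has been attempted, 1 when /dev/sg0 cannot be
 * opened. The original returned 0 unconditionally and never checked open(),
 * so with the device absent it silently ran ioctl()/write() on fd -1 and the
 * suggested "while ./a.out" loop spun forever without reproducing anything.
 */
int main(void)
{
	/* Request bytes exactly as generated by syzkaller. The length passed to
	 * write() is derived from the literal rather than hard-coded, so the two
	 * cannot drift apart; the trailing NUL of the literal is excluded. */
	static const char req[] =
	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x47\x00\x00\x24\x00"
	    "\x00\x00\x00\x00\x00\x1c\xbb\xac\x14\x00\xaa\xe0\x00\x00\x01"
	    "\x00\x07\x07\x00\x00\x59\x08\x00\x00\x00\x80\xfe\x7f\x00\x00\x01";
	const size_t req_len = sizeof req - 1; /* 46 bytes */
	long len = 9;

	int fd = open("/dev/sg0", O_RDWR);
	if (fd < 0) {
		perror("open /dev/sg0");
		return 1;
	}

	/* SG_NEXT_CMD_LEN tells the sg driver which command length to use for
	 * the next write(2). A failure here is reported but not fatal, so the
	 * reproduction loop keeps the original "try anyway" behaviour. */
	if (ioctl(fd, SG_NEXT_CMD_LEN, &len) < 0) {
		perror("ioctl SG_NEXT_CMD_LEN");
	}

	if (write(fd, req, req_len) < 0) {
		perror("write /dev/sg0");
	}

	close(fd);
	return 0;
}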

Run it in a loop as "while ./a.out; do true; done". Below are some
manifestations, but it really looks like it smashes the heap badly and then
the damage manifests in random ways:


general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 2 PID: 11158 Comm: syz-executor2 Not tainted 4.15.0-rc9+ #65
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
RIP: 0010:find_stack lib/stackdepot.c:173 [inline]
RIP: 0010:depot_save_stack+0x108/0x440 lib/stackdepot.c:225
RSP: 0018:ffff88007118ed68 EFLAGS: 00010002
RAX: 0000000033ae8ebb RBX: 00000000891e24d1 RCX: 0000000000000002
RDX: 0000000024208bf1 RSI: 0000000001000000 RDI: ffff88007118edc0
RBP: ffff88007118edb0 R08: 1ffff1000e231d77 R09: ffff88007118edd8
R10: 00000000e160d61a R11: 00000000f692b9a9 R12: 000000000000000d
R13: 0000000000000068 R14: 0001800800008008 R15: 00000000000e24d1
FS: 00000000023e4940(0000) GS:ffff88002db00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b9bc25000 CR3: 000000007d476000 CR4: 00000000000026e0
DR0: 0000000020000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
save_stack+0xa3/0xd0 mm/kasan/kasan.c:453
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3488 [inline]
kfree+0xc5/0x160 mm/slab.c:3803
__mmu_notifier_mm_destroy+0x116/0x1c0 mm/mmu_notifier.c:323
mmu_notifier_mm_destroy include/linux/mmu_notifier.h:297 [inline]
__mmdrop+0x104/0x3f0 kernel/fork.c:908
mmdrop include/linux/sched/mm.h:43 [inline]
finish_task_switch+0x44c/0x6f0 kernel/sched/core.c:2671
context_switch kernel/sched/core.c:2802 [inline]
__schedule+0x842/0x1e10 kernel/sched/core.c:3375
schedule+0xe8/0x420 kernel/sched/core.c:3434
freezable_schedule include/linux/freezer.h:172 [inline]
futex_wait_queue_me+0x3af/0x770 kernel/futex.c:2548
futex_wait+0x374/0x9e0 kernel/futex.c:2663
do_futex+0xe20/0x2750 kernel/futex.c:3545
SYSC_futex kernel/futex.c:3605 [inline]
SyS_futex+0x368/0x485 kernel/futex.c:3573
entry_SYSCALL_64_fastpath+0x24/0x8c
RIP: 0033:0x4482b9
RSP: 002b:0000000000a2f908 EFLAGS: 00000206 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 00000000004482b9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000071becc
RBP: 00000000000000bb R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000a2f910 R11: 0000000000000206 R12: 00000000000003b7
R13: 0000000000000b5a R14: 00000000c59c644d R15: 0000000000000000
Code: 75 b8 48 89 7d c0 41 81 e7 ff ff 0f 00 4e 8b 34 fd 60 f9 ed 87
4d 85 f6 74 5e 4d 63 ec 49 c1 e5 03 eb 08 4d 8b 36 4d 85 f6 74 4d <41>
39 5e 08 75 f2 45 3b 66 0c 75 ec 49 8d 76 18 4c 89 cf 4c 89
RIP: find_stack lib/stackdepot.c:173 [inline] RSP: ffff88007118ed68
RIP: depot_save_stack+0x108/0x440 lib/stackdepot.c:225 RSP: ffff88007118ed68
---[ end trace a25d77609c7bff29 ]---


[ 71.351814] general protection fault: 0000 [#1] SMP KASAN
[ 71.352992] Modules linked in:
[ 71.353611] CPU: 3 PID: 3724 Comm: bash Not tainted 4.15.0-rc9+ #65
[ 71.354666] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS Bochs 01/01/2011
[ 71.356440] RIP: 0010:thread_group_cputime+0x4b8/0x1000
[ 71.357354] RSP: 0018:ffff88005dbff658 EFLAGS: 00010206
[ 71.358240] RAX: 0000000000000005 RBX: dffffc0000000000 RCX: 1ffff1000cf0b917
[ 71.359403] RDX: ffff88005dbff838 RSI: 1ffff1000bb7ff06 RDI: 0000000000000028
[ 71.360757] RBP: ffff88005dbff800 R08: ffff88005dbff840 R09: ffff88006454a280
[ 71.362314] R10: ffff88006b06e1c0 R11: ffff88006785c1c0 R12: fffffffffffffa70
[ 71.363800] R13: ffff88005dbff830 R14: ffffed000bb7fef3 R15: ffff88005dbff7d8
[ 71.365291] FS: 00007fb375f95700(0000) GS:ffff88006cb80000(0000)
knlGS:0000000000000000
[ 71.366990] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 71.368198] CR2: 00000000006edbd4 CR3: 00000000637fb002 CR4: 00000000001606e0
[ 71.369710] Call Trace:
[ 71.370259] ? print_unlock_imbalance_bug+0x70/0x70
[ 71.371297] ? account_idle_time+0x1b0/0x1b0
[ 71.372292] ? lock_downgrade+0x8e0/0x8e0
[ 71.373148] ? lock_downgrade+0x8e0/0x8e0
[ 71.374036] thread_group_cputime_adjusted+0x6b/0xd0
[ 71.375086] ? task_cputime_adjusted+0x240/0x240
[ 71.376067] wait_consider_task+0x1a91/0x38b0
[ 71.376987] ? graph_lock+0x160/0x160
[ 71.377780] ? graph_lock+0x160/0x160
[ 71.378568] ? exit_notify+0xb60/0xb60
[ 71.379381] ? print_unlock_imbalance_bug+0x70/0x70
[ 71.380420] ? find_held_lock+0x35/0x1d0
[ 71.381262] ? lock_acquire+0x1f7/0x4f0
[ 71.382151] ? do_wait+0x3ba/0x9d0
[ 71.382885] ? lock_downgrade+0x8e0/0x8e0
[ 71.383743] ? lock_release+0xaf0/0xaf0
[ 71.384566] ? add_wait_queue+0x19e/0x230
[ 71.385427] ? __wake_up_locked_key_bookmark+0x20/0x20
[ 71.386553] ? task_active_pid_ns+0xd0/0xd0
[ 71.387451] do_wait+0x45b/0x9d0
[ 71.388155] ? wait_consider_task+0x38b0/0x38b0
[ 71.389139] ? tty_vhangup+0x30/0x30
[ 71.389933] ? find_held_lock+0x35/0x1d0
[ 71.390777] ? lock_downgrade+0x8e0/0x8e0
[ 71.391634] ? lock_release+0xaf0/0xaf0
[ 71.392522] ? do_raw_spin_unlock+0x1f0/0x2d0
[ 71.393487] kernel_wait4+0x234/0x3b0
[ 71.394289] ? SyS_waitid+0x50/0x50
[ 71.395041] ? task_stopped_code+0x190/0x190
[ 71.395957] ? sigprocmask+0xf4/0x2e0
[ 71.396746] SYSC_wait4+0x119/0x120
[ 71.397516] ? kernel_wait4+0x3b0/0x3b0
[ 71.398353] ? _copy_to_user+0x85/0xd0
[ 71.399169] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 71.400318] ? SyS_rt_sigprocmask+0x1ca/0x240
[ 71.401251] ? sigprocmask+0x2e0/0x2e0
[ 71.402147] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 71.403291] ? security_file_ioctl+0x95/0xc0
[ 71.404210] SyS_wait4+0x2c/0x40
[ 71.404913] entry_SYSCALL_64_fastpath+0x24/0x8c
[ 71.405928] RIP: 0033:0x7fb375671a3e
[ 71.406699] RSP: 002b:00007ffc523ec340 EFLAGS: 00000246 ORIG_RAX:
000000000000003d
[ 71.408297] RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007fb375671a3e
[ 71.409817] RDX: 000000000000000a RSI: 00007ffc523ec398 RDI: ffffffffffffffff
[ 71.411317] RBP: 0000000000000000 R08: 00000000011c1a48 R09: 0000000000000000
[ 71.412867] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 71.414388] R13: 00000000011abb88 R14: 0000000000000000 R15: 00000000011abd08
[ 71.415888] Code: c0 10 49 39 c6 0f 84 09 01 00 00 48 c1 ef 03 4c
89 ee 49 89 fe 48 c1 ee 03 49 01 de 49 8d bc 24 b8 05 00 00 48 89 f8
48 c1 e8 03 <80> 3c 18 00 0f 85 c7 05 00 00 49 8d bc 24 c0 05 00 00 49
8b 84
[ 71.419966] RIP: thread_group_cputime+0x4b8/0x1000 RSP: ffff88005dbff658
[ 71.421464] ---[ end trace 982cd2844bb6092a ]---



[ 493.794289] BUG: unable to handle kernel paging request at fffff1e03c000220
[ 493.795959] IP: qlist_free_all+0xe4/0x110
[ 493.796893] PGD 0 P4D 0
[ 493.797450] Oops: 0000 [#1] SMP KASAN
[ 493.798274] Modules linked in:
[ 493.798953] CPU: 1 PID: 4273 Comm: a.out Not tainted 4.15.0-rc9+ #65
[ 493.800321] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS Bochs 01/01/2011
[ 493.802005] RIP: 0010:qlist_free_all+0xe4/0x110
[ 493.802960] RSP: 0018:ffff88006ae17cb8 EFLAGS: 00010286
[ 493.804073] RAX: 0001800f0000800f RBX: 0000000000000282 RCX: ffffea0000000000
[ 493.805540] RDX: fffff1e03c000200 RSI: 000077ff80000000 RDI: 0000000000000000
[ 493.807061] RBP: ffff88006ae17ce0 R08: 1ffff1000d5c2f68 R09: ffff880063e60040
[ 493.808562] R10: 1ffff1000c7cc115 R11: 0000000000000001 R12: ffff88006ae17cf0
[ 493.810080] R13: 0001800f0000800f R14: ffffffff86acaf20 R15: 0000000000000000
[ 493.812477] FS: 00000000007e9880(0000) GS:ffff88006ca80000(0000)
knlGS:0000000000000000
[ 493.813762] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 493.814678] CR2: fffff1e03c000220 CR3: 000000006b812003 CR4: 00000000001606e0
[ 493.815830] Call Trace:
[ 493.816280] quarantine_reduce+0x141/0x170
[ 493.817011] kasan_kmalloc+0x99/0xe0
[ 493.817607] kasan_slab_alloc+0x12/0x20
[ 493.818254] kmem_cache_alloc+0x10c/0x620
[ 493.818899] ? map_id_range_down+0x1e6/0x400
[ 493.819585] getname_flags+0xd0/0x5a0
[ 493.820184] user_path_at_empty+0x2d/0x50
[ 493.820819] SyS_access+0x254/0x7b0
[ 493.821399] ? SyS_faccessat+0x7c0/0x7c0
[ 493.822061] ? lockdep_sys_exit_thunk+0x16/0x29
[ 493.822814] ? async_page_fault+0x36/0x60
[ 493.823481] entry_SYSCALL_64_fastpath+0x24/0x8c
[ 493.824251] RIP: 0033:0x463327
[ 493.824748] RSP: 002b:00007ffe8b588888 EFLAGS: 00000246 ORIG_RAX:
0000000000000015
[ 493.825938] RAX: ffffffffffffffda RBX: 00000000007ea1f0 RCX: 0000000000463327
[ 493.827132] RDX: 0000000000000004 RSI: 0000000000000000 RDI: 00000000004af1a1
[ 493.828214] RBP: 00007ffe8b588ae8 R08: 00007ffe8b5c1040 R09: 0000000000000000
[ 493.829226] R10: 00000000006c3f20 R11: 0000000000000246 R12: 00007ffe8b588af8
[ 493.830308] R13: 0000000000401d20 R14: 0000000000401db0 R15: 0000000000000000
[ 493.831386] Code: 00 00 00 80 48 01 c2 72 42 48 be 00 00 00 80 ff
77 00 00 48 01 f2 48 b9 00 00 00 00 00 ea ff ff 48 c1 ea 0c 48 c1 e2
06 48 01 ca <48> 8b 72 20 48 8d 7e ff 83 e6 01 48 0f 45 d7 48 8b 7a 30
e9 36
[ 493.834255] RIP: qlist_free_all+0xe4/0x110 RSP: ffff88006ae17cb8
[ 493.835157] CR2: fffff1e03c000220
[ 493.835733] ---[ end trace 1fbd2672ad8e619c ]---